Launch of Strategy and Statecraft in Cyberspace research program
8 March 2014
It is an absolute pleasure to be here today at what, I have no doubt, is destined to become one of the world's leading research programs.
- Professor Ian Young, ANU Vice Chancellor and
- Professor Michael L'Estrange, head of the National Security College.
It is common place to compare the Internet with other technology revolutions — the invention of the steam engine or the automobile.
However that shortchanges the Internet and its significance. Already most people in the developed world and shortly most people in the world will be connected to the Internet, and thus to each other.
The Internet has grown without government direction, it has grown across borders and defied, constrained and on occasions toppled tyrants. Its benefits are incalculable.
But there are risks and there are threats and I will discuss a few tonight, but above all we must never forget that the Internet is the most powerful single driver of innovation and commerce in human history and it will not just transform industries and governments, it will change humanity itself.
This policy area known as ‘cyber’ has come to encompass an extraordinary range of issues. For example Cyber-security, internet governance, privacy, data sovereignty, online freedom of expression, cyber-crime, intellectual property.
At times these issues are confusingly and unhelpfully conflated in public debate. However it is also true that there are many interdependencies between them and the policy responses to them.
A necessary consequence of this conflation and interdependence of is that many parts of government are involved.
Here in Canberra the Department of Communications, the Australian Signals Directorate, the Attorney-General's department, the Department of Prime Minister and Cabinet and the Department of Foreign Affairs, to name just some, all have an important role to play both in domestic and international cyber policy debates.
Today I will speak mostly about the growing debate, some authors have described it as “a war”, over the governance of the Internet.
But before I do I will make some observations about cyber security.
The Internet age, the digital age, has turned many paradigms on their heads.
Consider remembering. For all of human existence to date the default has been to forget — we had to go to great lengths to remember things, whether by painting them on a cave wall or a canvas or committing them to memory or writing them in a book or pasting snapshots in a photo album.
Now the default is to remember — and forgetting, or deleting, requires great effort and in many cases is not achievable. And it is not just Facebook selfies involving a surplus of alcohol and a deficit of decorum that change this paradigm.
A lot of information which in the analogue age may not have been actually deleted, was in fact forgotten — lost in a filing cabinet or the stacks of a library and could only be found, with some considerable effort. Now it is available in a few clicks on a smartphone — a device a now to be found in the hands of 73% of Australians and by 2019 in the hands of 5.6 billion people around the world.
Not only is information getting harder if not impossible to forget more of it is being stored and in hitherto unimaginable quantities, indeed 90% of all the information in the world has been created in the last two years. (I note however that this claim made by IBM says nothing about the quality of the data)
This has considerable implications for cybersecurity, as we have seen with Mr Snowden's burglary.
The spy of yore may have been able to steal a few cables from the Ambassador's safe — the spy of today can steal millions of files.
Our ability to make, transmit, store and process vast amounts of data creates huge vulnerabilities as well as opportunities.
This has given both those who seek to protect us and those who seek to harm us the ability to delve deeper and deeper into our lives.
It has enabled us to access data, with or without authority, at the other end of the world without any physical presence at the site of the data we are accessing.
This has made a profound change in the context of signals intelligence — an activity which began with listening to radio waves travelling through the atmosphere, like sitting in the back of a restaurant and listening to the diners' conversations and now can be more like backing up a truck and sending in a huge team to copy a warehouse of documents.
Associated with this is the ability to publish hitherto confidential information, without any practical means of restraint. In the past publication could be restrained by taking action against media platforms — they have an address. But the global hyperplatform of the Internet means that once confidential information has been stolen the chances of preventing its publication are negligible.
The ability to publish without restraint changes another paradigm. Consider the Snowden revelations of NSA surveillance of foreign governments and officials. Had those governments become aware of this type of surveillance they may have shrugged their shoulders, they may have made a quiet protest, they would certainly have sought to close the vulnerabilities which were being exploited. But they would have been most unlikely to make that surveillance public.
However the combination of the ability to steal vast amounts of data plus the ability to publish it universally and potentially simultaneously means that a foreign government presented with a public revelation that it is being spied on will have no choice but to protest and loudly.
And this has changed the risk reward calculus for signals intelligence — no doubt a key area for consideration in this programme.
Cyberspace as a domain
A common phrase, I have used it myself, is the “digital economy”. We should think about dropping it. The reality is that the economy is thoroughly dependent on the connectivity afforded by the Internet and becoming more so. There is an economy and it is digital.
We see it in the statistics: in 2012, there were 8.7 billion connected objects globally; by 2020 there will be 50 billion.  Cyberspace is often described as a domain — like land, air, sea or space. But it is unlike all of them, because not only is it entirely man-made it has been built, is operated and owned almost entirely by the private sector and is in large measure beyond the control of any government whose jurisdiction is limited by geography.
The bodies, like ICANN, that settle the standards and protocols and manage the critical domain name system are not agencies of governments but essentially confederations of interested and like minded parties which have grown up organically and are described with the unwieldy term of a “multi stakeholder system”.
Cyberspace is a place where states and other actors compete and assert power as they pursue their own national strategic, security and economic interests.
That means enormous political pressures are at play around the governance of this online world, a world built on openness and freedom and now subject to fierce scrutiny.
Because the Internet began in the United States and because ICANN has a foundation agreement to administer the Domain Name System with the US Department of Commerce, there has been growing criticism of what is seen as the US centric nature of the Internet.
Of course the governance of the Internet is thoroughly internationalised as the membership of ICANN (not to speak of other bodies like the World Wide Web consortium) attests.
But this model is under attack — a range of governments are now calling for the governance of the Internet to be placed under formal management by Governments, through the United Nations for example.
Their motives differ. Some like Russia andChina and Saudi Arabia have been felt threatened by the freedom of the Internet and sought to more control over its content.. Others simply resent the historic role of the United States and no doubt imagine that if the Internet was not governed by a California not for profit, the innovation of Silicon Valley would find its way to their country as well.
This is dangerous ground: once States start competing for a greater voice, greater control, we are absolutely kidding ourselves if we imagine only those with benign objectives will eventually get it.
Maintaining an open, global cyberspace system not dominated by governments is one of the key strategic issues of our time and it is a goal the Australian Government is committed to pursuing.
There are two competing key visions for the governance of the internet.
One is of a globally interconnected and open system subject to multi-stakeholder governance where states participate but do not dominate: the status quo.
The other seeks to put the state at the forefront of cyberspace and the internet, upholding the concept of state sovereignty in cyberspace.
Such an approach could be the the beginning of a journey towards a balkanised internet — where each country runs its own DNS root and effectively creates its own national intranet or walled garden. China has gone some way towards this, what if other countries followed?
Of course the Snowden revelations have supercharged this criticism of the status quo leading to charges the United States is abusing its central role in the Internet. However, espionage and surveillance is not connected to the governance of the Internet, its open architecture agnostically enables all those seeking access legitimately or not.
Australia supports the existing multi-stakeholder approach to internet governance that has evolved organically, and successfully. Under this model, the private sector, governments and users all participate in shaping the evolution and use of the internet. Multi-stakeholder arrangements maximise access and opportunity to the benefit of all.
The status quo works. That is undoubted. But it has grown organically — you could say of it as a French diplomat (no doubt apocryphally) said of a treaty “It works in practice, but not in theory.”
That doesn't mean there are not significant issues to manage; cyber-related security considerations we need to take into account in maintaining and developing any sort of internet governance.
They are things like:
- systemic vulnerabilities in the infrastructure of globalisation and military power
- friction between private sector actors who manage the internet and public sector actors who are supposed to defend them
- the mismatch between the pace of policy formation and the pace of technological change.
- coordination challenges for government agencies responsible for national security, law enforcement and industrial policy, and
- those major normative disagreements about how the internet should be managed domestically and internationally that I've already referred to.
In looking at these problems, real as they are, we need to avoid a tunnel vision — to avoid becoming over-focussed on potential threats and control at the expense of the flourishing, and often surprising and unexpected, economic and social opportunities.
We must … and we want to … continue to encourage dynamism and growth, collaboration and creativity in cyberspace while preventing malicious activity and encouraging the protection of basic rights.
We need conceptual clarity on cyberspace issues: for instance to differentiate between the protection and defence of networks, and issues relating to competition between states in cyberspace, that is, between cyber security questions and international security questions.
The internet and cyberspace policy issues are now issues for the policy mainstream, integral to overall domestic and international policy development. Internet governance and cybersecurity issues are being dealt with routinely in a range of forums and high level meetings such as the G8 and APEC Leaders meetings. They are being debated in civil society circles, by foreign and strategic policy think tanks, at united nations fora, and inside governments across the world.
I think it not unreasonable to suggest that trust in cyberspace is diminished. Many citizens have lost faith in the activities of their governments and, in some cases, are beginning to question the privacy and data use policies of the large online platforms like Google, Facebook, Twitter, Yahoo. Governments have lost faith in each other — witness Brazil's reaction to the NSA disclosures and the ongoing debate between the US and China on cyber activities. And, corporations are losing faith in governments — as evidence see Yahoo's denials that it authorised or was aware of the NSA's collection of images from its video-chat service.
The two issues are not the same, but there is little doubt that debates about governance of the internet are being coloured by the debates arising from Snowdon.
Significantly, in recent times, we have seen the European Commission come forward in support of the current multi-stakeholder model of governance but advocating the need to ‘globalise’ the framework. Brazil too has stepped forward to make a contribution to the debate by arranging and hosting an internet governance conference in April this year — the objective of which is to agree a set of principles for internet governance. We have also seen Chatham House and the Centre for International Governance Innovation establish the Global Commission for Internet Governance chaired by the Swedish Foreign Minister.
This research program at the National Security College is timed to make a significant contribution to these policy debates. The international community is engaged in elaborating how the rules that apply offline apply online. This is a long-term task, a negotiation between competing interests that is proceeding through different bodies of international and national law.
Australia is actively engaged. We chaired the UN Group of Governmental Experts on Cyber which last year released a landmark report affirming that international law, in particular the UN Charter, applies to States' use of cyberspace. This lays the foundation for all other work in this area.
We're active in working on cyber issues in the ASEAN Regional Forum.
We support the work of the International Telecommunication Union to assist in developing standards and building capacity, particularly among developing countries.
We also support the work of ICANN — the Internet Corporation for Assigned Names and Numbers.
The fact there are differing views and, yes, tensions about the governance of cyberspace causes concern in some quarters about the worst case scenario. What about the role of cyber tools and techniques in conflict? What about terrorist use of the internet? What about the suggested balkanisation of the internet?
Some of these uses are still hypothetical — as Peter W Singer has pointed out recently, squirrels have taken down the power grid more times than the zero times that hackers have.
And while we should not diminish the threat from remote cyber thieves, the fact is that the two most notorious breaches of United States security information were the consequence of US Government employees downloading millions of files onto their own external mediums.
As is often the case the biggest vulnerability was neither hardware nor software but warmware.
Because cyberspace covers many functional, jurisdictional and intellectual borders, a basic challenge is simply to develop useful theoretical concepts to analyse them.
Which is where the ANU's National Security College and the Strategy and Statecraft in cyberspace research program comes in.
The classic paradigms of political science tend to emphasize States as the primary actors in the world and neglect the role technology plays in facilitating political behaviour.
One of the key challenges in analysing cyberspace is accounting for relationships between non-state actors with global reach — firms and hactivists for example — and state actors with limited influence on the architecture of the internet.
What we need
We need theoretical tools that can handle the reciprocal relationships between technological resources and the diverse economic, political and social communities that utilise them.
We also need intellectual rigour focused on thinking about how policy settings fit into this complex web.
The NSC's research program
The NSC, the purpose of which is to enhance strategic understanding and critical thinking about Australia's national security, is responding to this challenge.
Today, I am launching the NSC's new international and interdisciplinary research program Strategy and Statecraft in cyberspace.
The program brings together research centres from five universities in Australia, the UK and the US:
- The National Security College here at the ANU
- The Centre for Research in Complex Systems at Charles Sturt University in Bathurst
- The Centre for Applied Cybersecurity Research at Indiana University in Bloomington, Indiana;
- The Strategy and Security Institute at the University of Exeter in the UK; and
- The Institute on Global Conflict and Cooperation at the University of California San Diego in La Jolla.
I am also pleased the program will unite the expertise of researchers from the natural sciences, social sciences and the humanities. It will provide a hands-on environment for advanced teaching in cybersecurity, political science, international relations and international law.
The program aims to better understand cyberspace as a domain, and will create an integrated conceptual, analytical and computational modelling framework to explore this new frontier. It will allow scholars to create and test hypotheses about security in the cyber age.
As the program develops, its modelling framework will provide an environment in which policy makers can road-test new policy ideas that will shape the cyber domain into the future.
The program will create a resource for government to generate and test policy options.
It will provide a rich environment within which corporations can embed their own models to explore their own cyber strategies
The NSC and its partners will use the outputs of the program in advanced teaching of postgraduate students.
The research involved in the development and testing of the modelling framework will provide thesis material for one or more doctoral candidates
The program will also allow other researchers to test their cyber hypothesis.
Strategy and Statecraft in Cyberspace is exactly the research program we need… and has come exactly when we need it.
Cyber infrastructure provides new connectivity between actors and new tools for them to use, but it doesn't free them for the constraints of power-based competition and institution-based cooperation.
It is a complex socio-technical system of many layers… and many players.
Understanding cyberspace in all its wonderful complexity is critical to harnessing its benefits and managing its threats.
I know this centre will lead the way in that understanding, and ultimately help all nations navigate a way to a safe and stable cyber future.
 See “The Global War for Internet Govenance” by Laura DeNardis Yale, 2014
 See Science Daily 22 May 2013
 Cisco How Many Internet Connections are in the World? http://newsroom.cisco.com/feature-content?type=webcontent&articleId=1208342